What better thing to do on Sunday then read and then comment on a blog post about breaking the compliance rules of Shabbat? Bromium's Tal Klein, a self-proclaimed Bromide, provides an amusing look at religious rule-breaking:
Enter the Shabbat industry: an entire business model dedicated to keeping devout Jews in compliance with divine policy while creatively circumventing it – in search of enablement (there’s even Shabbat toilet paper).
So when IT decides to play Moses and declare a policy or implement software that puts users in a box, the expectation should be that users will find a creative way around it (and that the bad guys will find a way in), all while ostensibly in-policy.
Tal makes a typical point; to put it simply, water flows downhill so if you try and block the water you can expect it to try and flow around.
My first issue with this line of reasoning is that it over-simplifies the compliance market. Of course it is easy to say enabling is preferred to disabling, but that's a false dichotomy. Disabling unnecessary and unused services can be justified, for example, because it reduces harm with no expected workaround or demand for flow around. It's like finding a leaky board in a ship everyone is sailing on. Yet, Tal seems to suggest that this would be like "pretending to know what's actually happening" and he portrays compliance as lagging and behind:
Policy can’t be a shackle. Compliance standards are by their very nature at least a generation behind modern technology. We can’t predict what users will need in order to do their jobs tomorrow, so we shouldn’t force them to work in a whitelisted box – doing so is pretending to know what’s actually happening. No enforcement can be tough enough to stop the tide of ingenuity. Not whitelisting, not remote wipe, not MDM, not DLP, not VDI. People want to go up to their floor on Shabbat, and they don’t want to take the stairs.
Back to the water analogy, stopping the flow (assuming that is the real intent) involves knowing a lot about issues involved, just like when building a dam. There are benefits to creating a box and stopping flow — disablement. Those who assess the effectiveness of the controls can in fact know a lot about harnessing the power of creative forces, as illustrated below.
Tal says that "…no enforcement can be tough enough to stop the tide…" but obviously, just like building a dam, economic and political factors influence the success of compliance more than engineering issues. The "tough" enforcement is often a question of resolve rather than technical prowess. Moreover, regulators usually do not race towards the latest technology precisely because all those who are regulated also do not race towards it; it is a commonality of acceptance rather than the choices of a few outliers that defines progress. A compliance market definitely is not as simple as a decision whether to make policy a "shackle" or not.
My second issue extends from this first point. A perfect example of the complexities of compliance is the assessment of harm. This is not a failure of compliance "awareness" but rather a burden placed on regulators by those who are regulated. Tal's conclusion "People want to go up to their floor on Shabbat, and they don’t want to take the stairs" is an example that begs the question "so what?" The impact of elevator versus stairs for those who can use either without any consequence to themselves or anyone else is a false and mostly meaningless dichotomy (with the exception of those who can't take the stairs). Consider instead the recent compliance case of Chevron
Federal authorities have opened a criminal investigation of Chevron after discovering that the company detoured pollutants around monitoring equipment at its Richmond refinery for four years and burned them off into the atmosphere, in possible violation of a federal court order…
Pollution is by definition harmful, unlike a soft question of stairs versus elevator and what people want. The pollution question becomes how to use compliance to spur innovation and reduce risk of harm or known harm that can have a very lasting effect.
Caterpillar in the early 2000s provide an excellent counter-example. They created more than 500 patents on clean diesel to reduce documented illness and absence for those involved in heavy machinery operations. The reduced sick-time and increased productivity was the result of a compliance framework that altered the market enough to allow for innovation — polluting was made less economically advantageous. Earlier this year the company thus cited their innovation as a partnership with regulators; both working together improve the overall result.
"For Caterpillar, it's fitting that we're celebrating cutting-edge technology in California as this state is the birthplace of Caterpillar innovation" [...] "Today we're marking another transformation in the industry: engines that offer our customers superior performance at near zero emissions."
You might even say Caterpillar was doing what Bromium is positioning itself to do — bring to market a cleaner and lower-risk user experience due to compliance requirements for the same. Keep this in mind when you read Chevron's response to the investigation of their bypass pipe:
Federal criminal investigators are trying to determine who at Chevron was aware of the bypass pipe and whether the company used it intentionally to deceive air-pollution regulators. Chevron says its use was inadvertent…
Bruce Schneier's recent book, Liars & Outliers, gives a long and detailed analysis of this phenomenon. People often break out of group and social boundaries, resisting conformance and compliance. Their groups tolerate this in many contexts where there is some benefit but when there is harm…compliance does sometimes actually slam the door shut. An inadvertent pollution pipe will not be rewarded as innovative under societal/regulatory standards, yet it would be under Tal's post.
There's a nuanced relationship rather than a simple case of regulators always being "behind" or "pretending". Often regulators understand risk more broadly than those they have to reign in for the same reason they can predict consequences better than any individual user. Regulators often see the forest for the trees, working across many different needs, which allows them to bring innovation frameworks to those regulated. One of the reasons for this complex relationship is because regulations and compliance tend to be centred around risk management; they account for some principle of consequence/harm both for the individual and groups.
So rather than just throw our hands up on compliance because user ingenuity always wins we should continue to study methods and science of stopping a tide with the aim of finding and improving the natural balance. A measured approach to compliance can be a powerful generator of ingenuity that also is beneficial to groups of users.
Tal concludes with "The challenge, then, is to develop a security policy around enablement, not the other way around."
We have many examples of innovation in security where enablement was built around security policy. What benefit comes if we reverse this? Why not use policy to define the need for security and generate demand for Bromium? Policies of preventing and detecting breaches, for example, were not developed around enablement but still stimulated innovation in sandboxes and segmentation.
Back to Tal's analogy of religious Jews and compliance, and to put it in terms of the famous Israeli philosopher Martin Buber, the key is perhaps to think of regulators and users as less of an Ich-Es relationship and more an Ich-Du.
Those who work together generate balanced policy, those who work opposed have imbalanced policy. Balanced policy can shackle harm while still enabling innovation. Benefits even can come from stopping a tide, with ingenuity and positive innovation being one of them:
Beaver Lodge, Richard Orr (c) Dorling Kindersley